Password manager saves turing numbers

RESOLVED WORKSFORME

Status

()

Toolkit
Password Manager
--
enhancement
RESOLVED WORKSFORME
12 years ago
8 years ago

People

(Reporter: Hrvoje Novosel, Unassigned)

Tracking

Trunk
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

12 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.2) Gecko/20060404 SeaMonkey/1.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.2) Gecko/20060404 SeaMonkey/1.0.1

When using password manager to save passwords it also saves turing numbers so every time you login you create a new entry in the password manager, since the turing number is random.

Reproducible: Always

Steps to Reproduce:
Try to login to a site that requires a turing number (for anti-robot check).
(Reporter)

Comment 1

12 years ago
Forgot to mention some additional info...the turing number I'm testing with is an input type=text that has autocomplete="off" attribute, this works well for Firefox (it doesn't save the turing number) but Mozilla (SeaMonkey) seems to be ignoring the attribute.
(In reply to comment #1)
> input type=text that has autocomplete="off" attribute, 
> this works well for Firefox (it doesn't save the turing number)
> but Mozilla (SeaMonkey) seems to be ignoring the attribute.

Do you set wallet.crypto.autocompleteoverride=true when Mozilla?

See http://ilias.ca/mozilla/browserfaq/Autocomplete/
See also http://preferential.mozdev.org/preferences.html.
(Reporter)

Comment 3

12 years ago
Nope, just checked and its false
Your HTML is probably following order.
   <input type="text" ...> (<= for the "turing number", autre ocomplete=off)
   <input type="password" ...>
What will happen when dummy <input> is added to HTML? ("xxx" is constant)
 (Case-1)
   <input type="text" name="username" value="xxx" ...>
   <input type="text" ...> (<= for the "turing number", autocomplete=off)
   <input type="password" ...>
 (Case-2)
   <input type="text" ...> (<= for the "turing number", autocomplete=off)
   <input type="text" name="username" value="xxx" ...>
   <input type="password" ...>
Which data will be used as "UserName" field by password manager of Mozilla? 
What data will be used as "UserName" field by password manager of Firefox?

By the way, see Bug 222589 for difference between Mozilla and Firefox.
Password manager of Firefox was changed from password manager of Mozilla, in order to avoid problems when Mozilla such as Bug 153986.
One of major differences is:
 Mozilla' password manager saves other data fileds in addition to one username
 field and one password field. But password manager of Firefox saves one
 username field and one password filed only.
Logic to choose "Username" data for password manager's entry is probably different when autocomplete=off is set for filed for username.
What data is currently used as "Username" of password manager entry by Firefox?
Null?
(Reporter)

Comment 5

12 years ago
The HTML is in this order:
<input type="text" name="uname" ... >
<input type="password ... >
<input type="text" name="turing_number" autocomplete="off" ... >

I've made a page for testing:
http://www.crovortex.com/tmp/seamonkey.html

...I understand that Mozilla saves additional fields besides user/pass, but this field has an autocomplete="off" attribute. Doesn't that mean that it shouldn't save it?
(In reply to comment #5)
> The HTML is in this order:
> <input type="text" name="uname" ... >
> <input type="password ... >
> <input type="text" name="turing_number" autocomplete="off" ... >
> 
> I've made a page for testing:
> http://www.crovortex.com/tmp/seamonkey.html

When I entered "xxx" for uname and "1234" for turing_number, password manager of Semonkey 2006040309-trunk/Win-2K saved data with Username=xxx, and filled all of three fields by saved data when next page load.

Following sites say "autocomplete=off is attribute of <form>".
 http://developer.mozilla.org/en/docs/How_to_Turn_Off_Form_Autocompletion
 http://gthelp.com/showthread.php?t=31944
Is autocomplete=off on <input> valid?
If supported by IE, does Mozilla/Seamonkey really support autocomplete=off on <input>?
How about Firefox?
(Reporter)

Comment 7

12 years ago
So I guess this is not a bug, instead it should be a "feature request"...it would be nice if the autocomplete=off would work on input fields, it's the easiest way to solve the turing number issue which is present in a lot of sites.

...or an alternative option, saving password manager entries so that only 1 identical user/pass entry per form per URL would be allowed (this would still save the "wrong" turing number, but there would be only 1 entry...the next time a users logs in on that site and writes a different turing number it would overwrite the previous password manager entry instead of add a new one). For example, to identify individual entries, something like this could be used: form_name.http://www.domain.com/somepage.html (or if form name is missing, a numeric identifier ie 1 for first form, 2 for second form on that site etc.)

PS: Another interesting thing, after testing with IE it seems that autocomplete=off on an input field turns off autocomplete for the entire form that field is a part of...so basicly for IE setting autocomplete=off on an input is identical to autocomplete=off on a form. It would be much better if it really would work on a per-field basis (same for Mozilla/Semonkey if it gets implemented).
(In reply to Comment #7)
> it would be nice if the autocomplete=off would work on input fields,
> it's the easiest way to solve the turing number issue which is present
> in a lot of sites.

How about adding value="????" in your <input type="text" name="turing_number"> ?
"????" in turing_number field can be accepted by users as indicator of "type in is required", and "turing_number=????" is very easily be handled as "not typed in yet" by server side application or clienet side JavaScript.

There are three possible ways, I think.
 1. Change to Severity=Enhancement, if you really want the enhancement, 
    and if it will be really needed by many many web site developers.
 2. Change to Product=Tech Evangelism (Site correction request).
 3. Close as INVALID.
It's up to you.
(Reporter)

Comment 9

12 years ago
(In reply to comment #8)
> How about adding value="????" in your <input type="text" name="turing_number">
> ?
> "????" in turing_number field can be accepted by users as indicator of "type in
> is required", and "turing_number=????" is very easily be handled as "not typed
> in yet" by server side application or clienet side JavaScript.

yeah, but thats not the "problem"...the problem is that once you actually do type something in, and click save/submit/send the browser's password manager creates a new entry in its data. So the next time you would come to this site you would have a dialog pop-up asking you to select which username you want to use (although its the same user/pass combination in all entries)...and the number of options in that dialog increases by 1 every time you visit the site

...changed to enchancement
Severity: normal → enhancement
Assignee: dveditz → nobody
Depends on: 390025
OS: Windows XP → All
QA Contact: privacy
Hardware: PC → All
Version: unspecified → Trunk

Comment 10

8 years ago
SeaMonkey is now using toolkit/satchel
Component: Passwords & Permissions → Password Manager
Product: SeaMonkey → Toolkit
QA Contact: privacy → password.manager
From the description I think this case should work fine with the toolkit password manager. If it doesn't, repoen with output from https://wiki.mozilla.org/Firefox:Password_Manager_Debugging
Status: UNCONFIRMED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.